Towards efficient verifiable multi-keyword search over encrypted data based on blockchain

Searchable symmetric encryption (SSE) provides an effective way to search encrypted data stored on untrusted servers. When the server is not trusted, it is indispensable to verify the results returned by it. However, the existing SSE schemes either lack fairness in the verification of search results, or do not support the verification of multiple keywords. To address this, we designed a multi-keyword verifiable searchable symmetric encryption scheme based on blockchain, which provides an efficient multi-keyword search and fair verification of search results. We utilized bitmap to build a search index in order to improve search efficiency, and used blockchain to ensure fair verification of search results. The bitmap and hash function are combined to realize lightweight multi-keyword search result verification, compared with the existing verification schemes using public key cryptography primitives, our scheme reduces the verification time and improves the verification efficiency. In addition, our scheme supports the dynamic update of files and realizes the forward security in update. Finally, formal security analysis proves that our scheme is secure against Chosen-Keyword Attacks (CKA), experimental analysis demonstrations that our scheme is efficient and viable in practice.


INTRODUCTION
With the development of artificial intelligence, the Internet of Things, the Internet of Vehicles and other emerging technologies, more and more enterprises and individuals outsource local data to the cloud, thereby reducing storage and management overhead. However, security and privacy concerns still hinder the deployment of the cloud storage system. Although data encryption can eradicate such concerns to some extent, it becomes difficult for users to search over the data.
Searchable symmetric encryption (SSE) provides an efficient mechanism to solve this, which enables users to search encrypted data efficiently without decryption. Since SSE was first proposed by Song, Wagner & Perrig (2000), how to perform efficient and versatile search on encrypted data has always been an important research direction. The existing SSE schemes mainly use linked lists and vectors to build indexes, the cloud server needs to traverse the whole list or vector to search for matching results during a query, which incurs high search overhead. In addition to efficient searching, dynamic updates are also very important in SSE. Zhang, Katz & Papamanthou (2016) has shown that adversaries can infer the critical information through the file injection attacks during the dynamic update of the SSE, while the forward-secure SSE can avoid this. Therefore, the forward security of the scheme must be fully considered when designing the SSE scheme.
Verifiability of the search results is another important research issue for SSE. Since the cloud server is untrusted, which may returns incorrect or incomplete results due to system failures or cost savings, so, it is necessary to verify the search results. In 2012, Chai & Gong (2012) proposed the concept of verifiable SSE (VSSE) and constructed a verifiable SSE scheme based on word tree. Following this work, a great many VSSE schemes are proposed Kurosawa & Ohtaki (2012), Sun et al. (2015), Zhu, Liu & Wang (2016), Liu et al. (2017), Zhang et al. (2019) and Chen et al., 2021). In these schemes, the verification is mainly performed by users, but the user may forge verification results to save costs, so the reliability of the verification cannot be guaranteed. To address this, some researchers Hu et al., 2018;Li et al., 2019;Guo, Zhang & Jia, 2020) introduce blockchain into SSE to verify search results, which guarantees the fairness and reliability of the verification. Although blockchain achieves fair verification of search results, but the existing schemes are only for a single keyword, and there is little research on fair verification for multi-keywords.
In this paper, we introduce a verifiable multi-keyword SSE scheme based on blockchain, which can perform efficient multi-keyword search, ensures the fairness of verification, and supports the dynamic update of files. To our knowledge, this is the first scheme to verify the search results of multi-keywords fairly. In general, the contributions of this paper are summarized as follows: • Our scheme realizes efficient multi-keyword search and verification of search results, at the same time, our scheme supports dynamic update of files and achieves forward security.
• Our scheme utilizes blockchain to verify the search results, ensuring the reliability and fairness of the verification results. Combining bitmap index and hash function, we realize lightweight multi-keyword verification to improve verification efficiency.
• We formally prove that our scheme is adaptively secure against CKA, and we conduct a series of experiments to evaluate the performance of our scheme

Searchable symmetric encryption
Since SSE was proposed, a number of works have been done to improve search efficiency, rich expression and advanced security. The first SSE scheme (Song, Wagner & Perrig, 2000) enables users to search keywords through full-text scanning, search time increases linearly with the size of files, which is impractical and inefficient. To improve efficient, Curtmola et al. (2006) proposed an inverted index SSE, which achieves sub-linear search time, and gives a definition of SSE security, but this scheme does not support dynamic operations. Wang et al. (2010) expanded the scheme of Curtmola et al. (2006) to support dynamic operations, and proved that the scheme was adaptively secure against chosen-keyword attacks (CKA2-secure). For the schemes that support dynamic operation, forward security is critically crucial. The research of Cash et al. (2013), Cash et al. (2015) and Zhang, Katz & Papamanthou (2016) indicated that in the SSE scheme without forward security, the adversary can recover most of the sensitive information in ciphertext at a small cost, their research shows the importance of forward security. Multi-keyword search is a crucial means to improve search efficiency. In single-keyword search scheme (Song, Wagner & Perrig, 2000;Curtmola et al., 2006;Wang et al., 2010;Kamara, Papamanthou & Roeder, 2012), the server returns some irrelevant results, while the multi-keyword search (Cash et al., 2013;Lai et al., 2018;Xu et al., 2018;Wang et al., 2018;Liang et al., 2020;Hozhabr, Asghari & Javadi, 2021;Liang et al., 2021) gains higher search accuracy and more accurate results. To further improve search efficiency, Abdelraheem et al. (2016) proposed an SSE scheme on encrypted bitmap indexes to support multi-keyword search, but requires two rounds of interactions with the cloud server. Zuo et al. (2019) proposed a secure SSE scheme based on bitmap index which supports dynamic operations with forward and backward security, but this scheme lacks the verification of the results.

Verifiable searchable symmetric encryption
In SSE, it is necessary to verify the results since the server is untrusted. Chai & Gong (2012) proposed the concept of verifiable searchable symmetric encryption (VSSE) and constructed a VSSE scheme based on word tree. Along this direction, some other VSSE schemes (Kurosawa & Ohtaki, 2012;Zhu, Liu & Wang, 2016;Liu et al., 2017;Miao et al., 2019;Ge et al., 2019) are proposed. These schemes are the verification of single keyword search results, Azraoui et al. (2015) combined polynomial-based accumulators and Merkle trees to achieve conjunctive keyword verification. Wan & Deng (2016) used homomorphic MAC to verify the results of multi-keyword search. Li et al. (2021) utilized bitmap index to gain high efficiency of multi-keyword search, and verified the results by RSA accumulator. Ge et al. (2021) andLiu et al. (2021) proposed their verifiable schemes in the Internet of things. These schemes verify the results of multi-keyword search by public key cryptography primitives, which is computationally expensive and inefficient. What is more, these multi-keyword search verifiable schemes mainly focus on verifying the returned files are valid and whether the files really contains the query keywords, but they didn't ensure all files containing the query keywords are returned.

Verifiable searchable symmetric encryption based on blockchain
In the existing SSE schemes, the verification of search results is performed by users. However, users may forge verification results for economic benefits, which damages the fairness of verification. To solve this, a flexible and feasible method is to adopt blockchain to verify search results, which uses the non-repudiable property of the blockchain to ensure the reliability and fairness of verification. Hu et al. (2018)    scheme combined blockchain and SSE, which can verify the results automatically and reduce the calculation of users. Guo, Zhang & Jia (2020) used the blockchain to realize the public authentication of search results, and ensures forward security of dynamic update. Although these schemes realize the fair verification of search results, but they are mainly for single keyword search, whereas there is little research on the fair verification of multi-keyword. Comparison results with existing schemes are shown in Table 1.

PRELIMINARIES Bitmap
To improve search efficiency, we use the bitmap (Spiegler & Maayan, 1985) to build inverted index. Bitmap uses a binary string to store a set of information, which can effectively save storage space, and it has been widely used in the field of ciphertext retrieval. In our scheme, each keyword w i corresponds to a bitmap, which contains bits, is the number of files in the system, if the i−th document contains w i the value of in position i is 1, otherwise 0. For example, there are four files (f 1 , f 2 , f 3 , f 4 ) and two keywords (w 1 , w 2 ), in Fig. 1, w 1 is contained in f 1 and f 3 , w 2 is contained in f 2 and f 3 , the bitmap of w 1 and w 2 are 1010 and 0110. If we want to search files that contains both (w 1 and w 2 , we need to do AND operation on the two bitmaps, i.e., 1010 ∧ 0110=0010, that indicates that f 3 contains both w 1 and w 2 .

Blockchain
Blockchain is a distributed database, which is widely used in emerging cryptocurrencies to store transaction information such as bitcoin. The blockchain has the features of decentralization, transparency and unforgeability. There is no central server in the blockchain, all nodes participate in the operation and generate the calculation results, the information stored on the blockchain can be seen by all nodes in the network. All nodes of the blockchain share the same data record, under the action of the consensus mechanism, a single node cannot modify the data stored on the chain. The above characteristics of blockchain make it suitable to be a trusted third party for fair verification.

System model
The system model of our scheme is shown in Fig. 2, there are four entities in the system: data owner, cloud server, data user, blockchain. For the files F in the system, data owner extracts all keywords and generates a keyword set W. Data owner encrypts files to a database T , builds an encrypted index T B and a checklist B, T B and T are sent to cloud server, T B and B are sent to blockchain. When a data user joins the system, it sends an authentication request to the data owner, obtains keys and system parameters. During a query, the data user generates search token TK i,Q according to the keywords to be queried with the help of keys and system parameters, and then sends it to cloud server and blockchain, respectively. Cloud server provides storage services for index T B and T . In addition, the cloud server performs ciphertext retrieval according to the search token TK i,Q , and sends the matched results to blockchain for verification. To verify the search results of multiple keywords, the blockchain performs two steps: (1) benchmark. On receiving TK i,Q , the blockchain performs multi-keyword search on the index T B to get the identifiers ID of files that meets the query, then gets the corresponding hash values H of files from the checklist B according ID, and computes the benchmark Acc using H; (2) verification. After receiving the results returned by cloud server, the blockchain computes the hash values H of results and computes the verification value Acc , then the blockchain compares Acc and Acc to generate the proof. The proof and search results are sent to data user, the verification is completed.

Threat model
Like other verifiable SSE schemes (Soleimanian & Khazaei, 2019), we assume that the cloud server is malicious, which may return an incorrect or incomplete search result for selfish reasons, such as saving bandwidth or storage space. In addition, we assume that the data user is also untrusted, since it may forge the verification results for economic benefits. The data owner and blockchain are trusted, they execute the protocols in the system honestly.
• (T,T B ,B) ← Setup(K ,W,F), takes system keys K , the keyword set W and the set of files F as input, outputs a database of encrypted files T , an encrypted index T B and a checklist B.
• (K 1 , ) ← ClientAuth(A i ), takes the attribute A i of user as input, outputs secret key K 1 and the keyword status .
• TK i,Q ← TokenGen(K 1 ,W), takes secret key K 1 , a set of keywords to query W = {w 1 ,w 2 ,...,w t }, outputs the search token TK i,Q . • (R,Acc) ← Search(T,T B ,B,TK i,Q ), takes search token TK i,Q , the encrypted database T , encrypted index T B and the checklist B as input, and outputs the search results R and the benchmark Acc.
• (R,proof ) ← Verify(R,Acc), takes the search results R, and the benchmark Acc as input, outputs the verification proof proof and results R.
, takes the set of files to update F , the set of keywords W and system keys K = {K 1 ,K 2 ,K 3 } as input, and outputs the update token (τ s ,τ b ).
, takes encrypted database T , encrypted index T B and the update token (τ s ,τ b ) as input, outputs the updated database T , updated index T B and the updated checklist B .

Security definitions
We prove the security of our scheme with the random oracle model, which can be executed by two probabilistic games Real A (λ) and Ideal A,S (λ), and we have the following definitions: Real A (λ): The challenger runs KeyGen(1 λ ) to generate secret key K = {K 1 ,K 2 ,K 3 }, the adversary A outputs F and W. The challenger triggers this experiment to run Setup(K ,W,F), outputs the index T B , T and B, which are sent to A.A generates a series of adaptive queries Q = {q 1 ,q 2 ,...,q t }, for each q i ∈ Q, the challenger generates search or update tokens, A receives those tokens and generates a bit b as the output of this experiment.
Ideal A,S (λ): The adversary A outputs F and W, the simulator S generates the index T B , T and B through L Setup , A receives them. A generates a series of adaptive queries Q = {q 1 ,q 2 ,...,q t } , for each q i ∈ Q, the simulator S generates search or update tokens with L Search and L Update , A receives those tokens and generates a bit b as the output of this experiment. If for any probabilistic polynomial time (PPT) adversary A, there exist an efficient simulator S, which satisfies that: where negl is an negligible function and λ is the security parameter.

CONSTRUCTION
In this section, we present the construction of our scheme in detail. We take bitmap as index structure to achieve efficient search over encrypted data, and use blockchain to verify the search results. The bitmap is utilized to build the inverted index to achieve the optimal search time O |q| , where q is the keywords in search and |q| is the number of q.
In our scheme, the blockchain is used to fairly verify the search results. In Setup, the data owner calculates the hash value of files, generates a checklist B and saves it on the blockchain. During the verification, the blockchain smart contract computes the hash values of search results returned by the server and compares them with the existing results to obtain the verification results.
Specifically, in the single keyword setting, the blockchain stores the corresponding benchmark directly since the results corresponding to the keywords are determined. However, it's impossible in multi-keyword search because the search results are variable, which can only store the verification value of each file. To ensure the credibility of the search results, the blockchain also needs to perform multi-keyword search to obtain the search results. Therefore, we save the index T B on the blockchain. During a query, the blockchain executes multi-keyword search to get the search results, and read the verification value hash i of each file in search results to generate the benchmark Acc, then the blockchain compares Acc with search results returned by cloud server to complete the verification. K ← KeyGen(1 λ ): This algorithm is executed by the data owner, given a security parameter λ ∈ N, this algorithm generates the secret key K = {K 1 ,K 2 ,K 3 }, where K 1 ,K 2 ,K 3 ← {0,1} λ , K 1 ,K 2 are used to encrypt the bitmap index for each keyword w i ∈ W, K 3 is used to encrypt files f i ∈ F and store the hash value of files.

Proposed construction
( Generate a bitmap index B w j for each w j 9: (K 1 , ) ← ClientAuth(A i ): It needs to register to the data owner when a new data user who wants to query files on the cloud server joins the system. The data user submits attribute A i to the data owner through this algorithm to obtain the keyword status and the key K 1 .
TK i,Q ← TokenGen(K 1 ,W): It takes the key K 1 and the set of keywords to query W = {w 1 ,w 2 ,...,w t } as input, output a search token TK i,Q , as is shown in Algorithm2. For each keyword w i ∈ W, the data user computes the position l w i of w i in index T B as Data user sends TK i,Q to cloud server and blockchain, respectively.
(R,Acc) ← Search(T,T B ,B,TK i,Q ): This algorithm takes search token TK i,Q , index T B and ciphertext database T as input, and outputs search results R. On receiving the search token, the cloud server and blockchain perform the same operations for multi-keyword search. They all parse out the position l w i of the keyword in the token TK i,Q , and get the bitmap To achieve multi-keyword search, they compute B = B 1 ∧ B 2 ∧ ... ∧ B t , the cloud server gets files in T according to B with regard to B[i] = 1, and sends them to the blockchain to verify. Similarly, the blockchain gets hash values {hash 1 ,hash 2 ,...,hash s } of files in B according to B, computes Acc = hash 1 ⊕ hash 2 ⊕ ··· ⊕ hash s as the benchmark for verification, and the details are shown in Algorithm 2.

Algorithm 2 Search
Require: K 1 , W = {w 1 ,w 2 ,...,w t }, T, T B , B Ensure: T K i,Q , R, Acc 1: Data user: 2: for w i ∈ W do 3: 4: end for 5: return T K i,Q ← (l w 1 ,l w 2 ,...,l w t ) 6: Send T K i,Q to cloud server and blockchain 7: Server, Blockchain: 10: end for 11: B = B 1 ∧ B 2 ∧ ... ∧ B t 12: Server: 13: gets ciphertext R = {c 1 ,c 2 ,...,c s } form T 14: Blockchain: 15: gets checklist L = {hash 1 ,hash 2 ,...,hash s } from B with B 16: Acc = hash 1 ⊕ hash 2 ⊕ ··· ⊕ hash s (R,proof ) ← Verify(R,Acc): This algorithm takes search results R and benchmark Acc as input, outputs search results R and proof , and the verify process is shown in Algorithm 3. To verify the integrity of files, the data owner calculates the hash value of each file through hash i ← H (c i ) in the Setup, and adds hash i to the checklist B, then B is sent to the blockchain. Through algorithm Search, the blockchain gets the search result of multiple keywords, obtains the hash value of each file in the result from B, and computes the benchmark Acc. To verify the search results, the blockchain calculates H W of R and compares it with Acc.
In proof = false, Result ← φ 10: end if 11: sends (proof, Result) to data user equal, the proof is true, otherwise false. At last, the search results R and proof are sent to data user. During the verification, Acc is calculated through the hash value stored on the blockchain, due to the unforgeability of blockchain, thus Acc is unforgeable. In addition, the verification is completed by the blockchain, so the proof is also unforgeable, which ensures the fairness of verification.
(τ s ,τ b ) ← UpdateToken(F,W ,K ): The data owner generates an update token through this algorithm, which takes files F, a keyword set W and secret key K as input, and outputs update token(τ s ,τ b ). For files f k ∈ F, the data owner encrypts and calculates the hash value of f k by c k ← Enc(K 3 ,f k ) and hash k ← H (c k ), respectively. For keywords W = {w 1 ,w 2 ,...,w s } that contained in f k , the data owner generates a bitmap B w j for each w j ∈ W , and encrypts B w j with v B ← B w j ⊕ H (l w j ||st ), where l w j ← H (u w j ||st ), u w j ← F (K 1 ,H (w j )), st ← F (K 2 ,st 0 ).
(T ,T B ,B ) ← Update(T,T B ,B,τ s ,τ b ): This algorithm takes encrypted database T , index T B , checklist B, update token (τ s ,τ b ) as input, and outputs updated database T , updated index T B and updated checklist B . The details are shown in Algorithm 4.

Forward security
As described above, dynamic update is the foundation function of an SSE scheme, and forward security is an indispensable component of dynamic update. In Algorithm 4, when updating a file f i that contains keyword w j , the data owner retrieves the previous state st 0 from the local state store , and generates a new state st through st ← F (K 2 ,st 0 ), where F is a pseudo random function and K 2 is kept in local. To search a keyword w j , the data user retrieves the current state st 0 from , with st 0 data user generates a token to be sent to the cloud server and blockchain. Without the key K 2 , the server cannot compute the current state st from a previous state st 0 , therefore it cannot get the current token from a previous, considering that the newly added file f i corresponds to the current token, that means the previous tokens cannot match f i , then forward security is achieved.

SECURITY ANALYSIS
In this section, we analysis the security of our scheme. For the scheme = KeyGen,Setup, ClientAuth, TokenGen,Search,Verify,UpdateToken,Update with the leakage function L = {L setup ,L search ,L update }, we prove that our scheme is L− secure against CKA2 by proving that Real A (λ) and Ideal A,S (λ) are computationally indistinguishable.
Theorem 1. Our scheme is L− secure against CKA2, if the encryption algorithm is secure against chosen-plaintext attacks and the pseudo-random function F and H are secure pseudo-random.
Proof: We use a probabilistic polynomial time simulator S to simulate indexes and a series of tokens. For a PPT adversary A, we prove Theorem 1 by the computational indistinguishability between Real A (λ) and Ideal A,S (λ). In Real A (λ), A gets indexes (T B ,T and B), searches token TK i,Q and updates token (τ s , τ b ) by running Setup, TokenGen and UpdateToken; in Ideal A,S (λ), A gets indexes (T B , T and B ), searches token TK i,Q and updates token (τ s , τ b ) by running L Setup , L Search , L Update . We prove that Real A (λ) and Ideal A,S (λ) are computational indistinguishable by proving that (T B , T , B, TK i,Q , τ s , τ b ) and (T B , T , B , TK i,Q , τ s , τ b ) are indistinguishable.
Simulating index. S initializes three empty tables: T , B , T B , which are used to store file ciphertexts, verification values and bitmaps, respectively. S randomly selects a string f i of length |f i |, and encrypts it through c i ← Enc(K 3 ,f i ), where K 3 is randomly sampled from {0,1} λ .S maintains three mappings: H, U and L, H stores (id i ||K 3 , i ), U stores (H (w i ),u w i ), and the mapping L stores (u w i ||st i ,t w i ). H, U and L are used and updated by the generation of search and update token. S computes the hash value hash i ← H (c i ), c i is stored in T [l i ] and hash i is stored in B [l i ].S selects a string v B of length |v B |, and T , B and T B are simulated by S through the leakage L Setup , the difference between (T B , T , B ) and (T B , T, B) is the generation of (f i , c i , v B ). In ideal environment, (f i , c i , v B ) are randomly selected, since our encryption algorithm is secure against CKA2, F and H are secure pseudo-random functions, therefore , the probability that the adversary A can distinguish between the real environment and the ideal environment is negligible.
Simulating search token. For the keyword w i to query, S gets u w i from the mapping U through calculating H (w i ), S checks whether u w i is contained in U, if so returns the corresponding entity, otherwise randomly picks a u w i in {0,1} and stores (H (w i ),u w i ) in U. Similarly, the experiment gets l w i from L by L[u w i ||st i ], the search token T K i,Q = l w i . Under the assumption that F and H are secure pseudo-random functions, the adversary A cannot distinguish TK i,Q and T K i,Q .
Simulating update token. For file f k to be added, S first randomly selects a bit string c k of length |f k |, and encrypts it through c k ← Enc(K 3 ,f k ).S computes the hash value In such a way, (T B , T, B, TK i,Q , τ s , τ b ) and (T B , T , B , T K i,Q , τ s , τ b ) are indistinguishable for A, and it means for a PPT adversary A, the probability of distinguishing between Real A (λ) and Ideal A,S (λ) is negligible, so we have: Therefore, our scheme satisfies CKA2-security.

PERFORMANCE EVALUATION
In this section, we evaluate the performance of our scheme by constructing a series of experiments, and compared the experimental results with Li et al. (2021) and Guo, Zhang & Jia (2020). Since Guo, Zhang & Jia (2020) do not support multi-keyword search over encrypted data, we compared our scheme with (Li et al., 2021) which supports multikeyword search. We also compared our scheme with (Guo, Zhang & Jia, 2020) in terms of dynamic operations.
We deploy our experiments on a local machine with an Intel Core i7-8550U CPU of 1.80 GHz, 8GB RAM. We use HMAC-SHA-256 for the pseudo-random functions, SHA-256 for the hash function. We use AES as the encryption algorithm to encrypt files. We implement the algorithms in data owner, data user and server using Python and construct the smart contract using Solidity, and the smart contract is tested in with the Ethereum blockchain using a local simulated network TestRPC.
For the dataset, we adopt a real-world dataset, Enron email dataset (WC., 2015), which contains more than 517 thousand documents. We utilize the Porter Stemmer to extract more than 1.67 million keywords and filter that meaningless keywords, such as of, the. At last, we build an inverted index with those keywords to improve the search efficiency of the experiment.

Evaluation of setup
In setup phase, data owner encrypts the files, calculates the initial verification values of ciphertexts, generates the bitmap indexes of keywords, stores them in T, B and T B , respectively.
First, we compare the setup time of our scheme with Li et al. (2021) and Guo, Zhang & Jia (2020), the setup time is related to the number of files in the index and the number of keywords included in each file. Figure  Zhang & Jia (2020) utilizes the linked list instead of bitmap to build the index, it requires more time than the other schemes. Our scheme takes less time than Li et al. (2021), the reason is that Li et al. (2021) adopts RSA accumulator based on public key encryption to verify multi-keyword search results, in contrast, our scheme utilizes hash functions to verify search results, which reduces the computational overhead greatly.

Evaluation of search
For the performance of our scheme, we compare the search time of our scheme with Li et al. (2021). Moreover, to better evaluate the performance of the scheme in multi-keyword search, we perform two settings in a query: 5 keywords and 10 keywords, respectively. In figures, the suffix of the icon indicates the number of keywords in a query, i.e., our scheme_5 indicates the search time spent in our scheme during a query which contains five keywords: our scheme_10 indicates the search time spent in our scheme during a query which contains 10 keywords, similarly, Li et al. (2021)  From Figs. 5 and 6, we can see that the more keywords included in a query, the more time it takes, this is because the more keywords, the search algorithm spends more time to

Evaluation of verify
Here, we evaluate the performance of our scheme in verification, we verify the results of searching for 5 keywords and 10 keywords respectively, and compares the verification time with In addition, the initial verification values in Li et al. (2021) are stored in untrusted server and the verification is performed by the data user, both the server and the user may forge the verification results, while in our scheme, the values are stored in blockchain and the verification is performed by blockchain, cannot be tampered with, hence, our scheme is more fair and secure in verification.
Dynamic update is the important function in SSE, so we evaluate the performance of our scheme in dynamic update by adding a file containing multiple keywords. Figures 9  and 10 show the performance of our scheme, Li et al. (2021) and Guo, Zhang & Jia (2020)  in update time, _5 and _10 indicate that the update document contains 5 keywords and 10 keywords, respectively. We observe that the update time increases with the number of files, since the more files, the longer of the bitmap corresponding to a keyword, then the update algorithm performs more operations when calculating v B ← B w j ⊕ H (u w j ||st ). Moreover, the update time is related to the number of keywords contained in the update file, since the more keywords the file contains, the more indexes to update.

CONCLUSIONS
In this paper, we present an efficient verifiable multi-keyword search SSE scheme based on blockchain, which accomplishes efficient multi-keyword search and verification. In our scheme, the yardstick of the file is stored on the blockchain, and the verification of the search results is also completed by the blockchain, thus the fairness and reliability of the verification can be ensured. In addition, our solution supports the dynamic update of files and guarantees forward security during the update. Formal security analysis and experimental results show that our scheme is CKA2-security and efficient. Our scheme can be widely used in cloud storage systems such as data outsourcing, cloud-based IoT (Ge et al., 2021), medical cloud data (Li et al., 2017), etc., helping to achieve efficient multi-keyword searches, and ensuring the integrity and credibility of search results.